Run traefik as dockeruser, and without host networking

This required port forwarding, a docker proxy, and a docker network, but the end result should be much more secure!
2022-01-15 23:44:06 +00:00
parent 1348eb8b1c
commit d5c7d94ac8
17 changed files with 150 additions and 6 deletions
--- a/ansible/roles/pve_docker/files/calibre/docker-compose.yml
+++ b/ansible/roles/pve_docker/files/calibre/docker-compose.yml
@ -13,3 +13,10 @@ services:
    labels:
      - traefik.enable=true
      - traefik.http.routers.calibre.rule=Host(`calibre.jakehoward.tech`)
+    networks:
+      - default
+      - traefik
+
+networks:
+  traefik:
+    external: true
--- a/ansible/roles/pve_docker/files/librespeed/docker-compose.yml
+++ b/ansible/roles/pve_docker/files/librespeed/docker-compose.yml
@ -14,3 +14,10 @@ services:
      - traefik.http.routers.librespeed.rule=Host(`speed.jakehoward.tech`)
      - traefik.http.routers.librespeed.middlewares=librespeed-auth@docker
      - traefik.http.middlewares.librespeed-auth.basicauth.users={{ librespeed_basicauth }}
+    networks:
+      - default
+      - traefik
+
+networks:
+  traefik:
+    external: true
--- a/ansible/roles/pve_docker/files/nextcloud/docker-compose.yml
+++ b/ansible/roles/pve_docker/files/nextcloud/docker-compose.yml
@ -26,6 +26,9 @@ services:
      - traefik.http.services.nextcloud-nextcloud.loadbalancer.server.scheme=https
      - traefik.http.middlewares.nextcloud-hsts.headers.stsseconds=15552000
      - traefik.http.routers.nextcloud.middlewares=nextcloud-hsts@docker
+    networks:
+      - default
+      - traefik

  mariadb:
    image: mariadb:10.5
@ -43,3 +46,7 @@ services:
    restart: unless-stopped
    volumes:
      - /mnt/tank/dbs/redis/nextcloud:/data
+
+networks:
+  traefik:
+    external: true
--- a/ansible/roles/pve_docker/files/synapse/docker-compose.yml
+++ b/ansible/roles/pve_docker/files/synapse/docker-compose.yml
@ -18,6 +18,9 @@ services:
    labels:
      - traefik.enable=true
      - traefik.http.routers.synapse.rule=Host(`matrix.jakehoward.tech`)
+    networks:
+      - default
+      - traefik

  db:
    image: postgres:14-alpine
@ -43,3 +46,10 @@ services:
      - traefik.http.routers.synapse-admin.rule=Host(`matrix.jakehoward.tech`) && PathPrefix(`/admin`)
      - traefik.http.middlewares.synapse-admin-path.stripprefix.prefixes=/admin
      - traefik.http.routers.synapse-admin.middlewares=synapse-admin-path@docker
+    networks:
+      - default
+      - traefik
+
+networks:
+  traefik:
+    external: true
--- a/ansible/roles/pve_docker/files/tt-rss/docker-compose.yml
+++ b/ansible/roles/pve_docker/files/tt-rss/docker-compose.yml
@ -27,6 +27,9 @@ services:
      - db
    tmpfs:
      - /config/log
+    networks:
+      - default
+      - traefik

  db:
    image: postgres:14-alpine
@ -36,3 +39,7 @@ services:
    environment:
      - POSTGRES_PASSWORD=tt-rss
      - POSTGRES_USER=tt-rss
+
+networks:
+  traefik:
+    external: true
--- a/ansible/roles/pve_docker/files/wallabag/docker-compose.yml
+++ b/ansible/roles/pve_docker/files/wallabag/docker-compose.yml
@ -15,9 +15,16 @@ services:
      - traefik.http.routers.wallabag.rule=Host(`wallabag.jakehoward.tech`)
    depends_on:
      - redis
+    networks:
+      - default
+      - traefik

  redis:
    image: redis:6-alpine
    restart: unless-stopped
    volumes:
      - /mnt/tank/dbs/redis/wallabag:/data
+
+networks:
+  traefik:
+    external: true
--- a/ansible/roles/pve_docker/files/whoami/docker-compose.yml
+++ b/ansible/roles/pve_docker/files/whoami/docker-compose.yml
@ -7,3 +7,10 @@ services:
    labels:
      - traefik.enable=true
      - traefik.http.routers.whoami.rule=Host(`whoami.theorangeone.net`) || Host(`who.0rng.one`)
+    networks:
+      - default
+      - traefik
+
+networks:
+  traefik:
+    external: true